Info-Stealer Malware and BYOD: A Playbook

The Australian Signals Directorate today published a great article on info-stealer malware. In this article we’ll highlight key points from it, and draw on other supporting research, to give you a playbook of sorts.

In the shift to hybrid work, remote access, and Bring-Your-Own-Device (BYOD) models, one of the less visible but increasingly serious cyber-threats for Australian small and medium businesses (SMBs) — and for individuals using personal devices — is information-stealer malware (also called “info-stealers”).

This is exactly the kind of threat flagged by the Australian Signals Directorate’s (ASD) cyber-arm: the Australian Cyber Security Centre (ACSC). Their report “The silent heist: cybercriminals use information stealer malware to compromise corporate networks” outlines how these tools operate and why the risk is real in Australia.

For conveyancers, professional services firms, and other Aussie SMBs, this presents a double risk — personal devices bleed into business access, and the consequences can extend well beyond a single machine. Let’s unpack what info-stealer malware is, why it matters to Australian SMBs and individuals, and what you should be doing right now.

What is Info-Stealer Malware?

Info-stealers are a class of malicious software designed primarily to collect sensitive data from a compromised device — often quietly, without immediately disruptive symptoms. Some key points (based on the ACSC’s advisory):

  • They can steal user credentials (usernames, passwords, backup codes, VPN/FTP credentials), browser-stored data (autofill, session cookies), communication logs, local files and system information (OS, installed applications, anti-virus details).
  • Cyber-criminals may use stolen credentials (especially from personal devices used for business) to gain initial access to corporate networks, and then deploy more damaging assets (ransomware, business email compromise, lateral movement).
  • Typical infection vectors include phishing attachments/links, malicious advertising or websites, and software downloads (often cracked or unlicensed tools).
  • The “silent” nature is important: the device may not display obvious signs of infection because the attacker’s objective is stealth and persistence.

In short: this is not a “lights-out ransomware” incident (at least initially); it’s a covert credential theft and network infiltration vector.

Why Australian SMBs Should Care

For SMBs in Australia — including those in conveyancing, legal services, professional services, property-related work — the threat is real and growing. Here’s why:

  • The ASD/ACSC advisory explicitly identifies breaches in Australian corporate networks that began via personal devices connected remotely, where stolen valid credentials were the initial foothold.
  • Many SMBs assume they’re “too small” to be a target. However, criminals focus on the path of least resistance: weak BYOD controls, unmanaged personal devices, saved credentials in browsers, shared devices, etc. Research shows the small business sector is under-resourced in cybersecurity.
    • The documented source of the Medibank breach in Australia was credentials saved in a browser.
  • SMBs often use remote access, cloud services, or contractor engagement — so any compromised credential can give attackers broad access. The ACSC warns that stolen credentials from personal devices are “highly valuable” as an initial access vector.
  • For industries like conveyancing where you handle client data, property transactions, financial interactions — the reputational and compliance risks are heightened. A breach could trigger regulatory obligations (e.g., data breach notifications) and damage trust.

Why Individuals, Especially Those Using Personal Devices for Work, Should Care

Employees, contractors or anyone accessing business systems from a personal device can be a key link in this chain. Think of it this way: your personal device might not have the same rigour of security as a corporate-managed endpoint — so it becomes a vulnerability. Here’s what to watch:

  • If your personal device is infected with an info-stealer, your credentials (personal and work) can be harvested and used to access business systems. The ACSC notes that some breaches arose because employees used personal devices to access work resources.
  • Browser-saved passwords, auto-fill settings, “remember me” logins, downloaded extensions — all of these may present a risk if the malware harvests them. The ACSC explicitly mentions browser data (history, session cookies, autofill) among the items stolen.
  • Mixing personal and business usage on the same device: installing untrusted software, clicking adware, using peer-to-peer/downloaded content — these increase the risk of infection. For example, a specialist site noted that in Australia “infostealers” are often distributed via fake installers and cracked software.
  • If your device is compromised and connected to the corporate network (VPN, RDP, remote desktop, cloud apps), you become the weak link that enables a larger incident.

Practical Mitigation Strategies for SMBs & Individuals

Here are tailored actions for SMBs and the individuals who work with them.

For SMBs

  1. Strong MFA Deployment – Ensure all remote access, cloud services, privileged accounts have multi-factor authentication enabled. Where possible use phishing-resistant MFA (e.g. hardware keys, passkeys). The ASD guidance emphasises verifying identity beyond just a password.
  2. BYOD / Managed Device Policy – If you permit personal devices to connect to work systems:
    • Define and enforce minimum security standards (OS updates, anti-malware, no shared accounts)
    • Consider separating work profiles from personal usage (containerisation, MDM)
    • Where feasible, provide corporate-managed devices instead of relying solely on personal ones
    • The ACSC warns that unmanaged personal devices are higher risk.
  3. Credential Hygiene – Enforce separate credentials for work vs personal services. Discourage saving business credentials in personal browser password stores or auto-fill.
  4. Endpoint Security & Patching – Ensure devices (both corporate and BYOD) have antivirus/endpoint detection, are patched promptly, and minimise untrusted software installations. The fact sheet from IDCARE emphasises malware (including info-stealers) as a stealth risk for small businesses.
  5. Network Segmentation & Least Privilege – Limit how much access any one device or account has. If an info-stealer harvests credentials, limit the potential blast radius.
  6. User Awareness & Training – Provide your users and contractors with training on phishing, suspicious downloads, managing browser-based credentials, use of untrusted software, personal device hygiene.
  7. Incident Response Plan – Have a clear plan: what if credentials are stolen, remote access is used by an unauthorised party, or a device is compromised. Know how you will respond, contain, and recover.
  8. Stay Informed – The threat landscape evolves quickly (e.g., info-stealer tools offered as malware-as-a-service (MaaS)). Stay up-to-date via alerts or a trusted IT & Cybersecurity partner.

For Individuals – Team Members, Contractors, Personal Device Users and yes – Home Users

  1. Use a Password Manager – Use a reputable password manager (not browser-saved logins) and unique, strong pass-phrases. Turn on MFA for your personal and work accounts.
  2. Avoid Sharing Work Credentials in Browsers – Consider not using browser auto-fill/“remember me” for work-related logins on your personal device. The ACSC identifies browser data and cookies as key targets.
  3. Be Careful with Downloads and Software – Avoid using cracked software, unverified websites, downloads from ad banners or unknown sources. Info-stealers often use these vectors.
  4. Keep Separate Work / Personal User Profiles Where Possible – If practical, maintain a device solely for work or keep personal and work profiles separate.
  5. Watch for Warning Signs – Even though info-stealers are stealthy, you might see unusual account activity (login from unfamiliar location, password changes, blocked access), more spam/unfamiliar emails or transactions. The ACSC lists these indicators.
  6. Ensure Your Device is Updated & Protected – Use the latest OS updates, enable automatic updates, use reliable endpoint/antivirus protection, avoid disabling security features for convenience.
  7. Use Caution on Public or Shared Networks – Remote access from insecure WiFi or shared devices increases risk.
  8. Educate Yourself – Understand that your personal device may form the ingress point for business systems; good personal hygiene helps the whole organisation.
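The warning signs in point 5 above (and the incident-response planning in point 7 of the SMB list) can be turned into a concrete triage check. The following is an added example, not code from this post or from the ASD/ACSC report; the log format, user names, device inventory and the four-hour travel threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp user country device event
SAMPLE_LOG = """\
2025-11-13T08:02:11Z alice@example.com.au AU dev-alice-laptop login_ok
2025-11-13T08:40:19Z alice@example.com.au AU dev-alice-laptop login_ok
2025-11-13T09:05:47Z alice@example.com.au RU dev-unknown-7f3 login_ok
2025-11-13T09:09:02Z alice@example.com.au RU dev-unknown-7f3 password_changed
2025-11-13T10:15:30Z bob@example.com.au AU dev-bob-phone login_ok
2025-11-13T10:16:02Z bob@example.com.au AU dev-bob-phone login_ok
"""

# Assumed BYOD enrolment inventory: which device ids each user may log in from.
KNOWN_DEVICES = {
    "alice@example.com.au": {"dev-alice-laptop"},
    "bob@example.com.au": {"dev-bob-phone"},
}

# Assumption: a change of country faster than this is not plausible travel.
MAX_PLAUSIBLE_TRAVEL = timedelta(hours=4)

def parse_line(line):
    ts, user, country, device, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, device, event

def find_warning_signs(log_text, known_devices, max_travel=MAX_PLAUSIBLE_TRAVEL):
    """Return (user, timestamp, reason) alerts in log order, using three rules
    that mirror the post's indicators: login from an unenrolled device, a
    country change faster than plausible travel, and a password change
    following either of those."""
    alerts, last_login, suspicious = [], {}, set()
    for line in log_text.strip().splitlines():
        ts, user, country, device, event = parse_line(line)
        if event == "login_ok":
            if device not in known_devices.get(user, set()):
                alerts.append((user, ts, f"login from unenrolled device {device}"))
                suspicious.add(user)
            prev = last_login.get(user)  # (timestamp, country) of previous login
            if prev and prev[1] != country and ts - prev[0] < max_travel:
                alerts.append((user, ts, f"country changed {prev[1]}->{country} within {ts - prev[0]}"))
                suspicious.add(user)
            last_login[user] = (ts, country)
        elif event == "password_changed" and user in suspicious:
            # a password change right after a flagged login suggests account takeover
            alerts.append((user, ts, "password changed after a suspicious login"))
    return alerts

if __name__ == "__main__":
    for user, ts, reason in find_warning_signs(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {reason}")
```

Each alert is a trigger for the incident-response plan: confirm with the user, revoke sessions and reset the credential, and check the device for an info-stealer before it reconnects.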

Why Now is the Time to Act

  • Info-stealer malware is on the rise in the Australian context. The ACSC’s article is recent (actually TODAY, 13th November 2025) and emphasises that stolen credentials from personal devices have already led to corporate network breaches.
  • Smaller firms often assume low-profile = low risk — but cyber-criminals don’t always care about the size of the target; they care about access. With unmanaged devices, weak credentials, saved passwords, the target becomes accessible.
  • The mix of remote access, BYOD, home-working and contractor access remains high — increasing exposure surface.
  • The cost of a breach (lost revenue, reputational damage, regulatory compliance, incident response) can be severely disproportionate for SMBs — far more costly than proactive protections.
  • For conveyancing and professional services firms, the data you handle (property transactions, client personal details, financial workflows) creates a compelling target for attackers.
  • As your managed service provider (MSP), positioning this threat and mitigation to your clients offers an opportunity to add value — and to elevate their cyber posture.

Industry Specific Example: Conveyancing

  • Conveyancing workflows often involve remote signing, document sharing, email chains, cloud storage of sensitive client information — any of which could be compromised if an attacker obtains credentials via a personal device.
  • Many conveyancers also act as intermediaries between multiple parties (buyers, sellers, banks, brokers, law firms). If your firm or your client’s firm is compromised, the lateral risk increases through that supply-chain linkage.
  • Long client lifecycles and legacy documents mean historical access may be retained; an attacker leveraging stolen credentials could access archived systems or client data.
  • Insurers and compliance bodies are increasingly scrutinising how SMBs manage remote access, BYOD, credential hygiene — being able to demonstrate controls around personal device usage, access management, credential management is a differentiator.

Final Thoughts

For Australian SMBs – and especially those making use of remote access and professional services, like conveyancing – the “weak link” is increasingly less about the high-profile direct hack, and more about the credential and device-hygiene chain. An attacker isn’t always tearing through firewalls; sometimes they’re quietly stealing saved browser sessions on a home laptop.

By addressing the personal-device angle, emphasising strong credential management, BYOD controls, and user awareness, you can significantly reduce the risk posed by info-stealer malware.

Click here for a succinct info-graphic containing a checklist of action points based on this post and the papers it references.